SmartCities’s Cyber Security Role and Ethical Challenges

The security and safety challenges of smart cities is an area that interests me a great deal. When reading technical academic research it usually has a very optimistic (almost naive) outlook on how these systems will affect the security architecture of the state. I assume most of engineering professionals are too absorbed in technical implementation with the only goal of: “Can we make it possible?”. As engineers we’re so absorbed with rolling out the next cool thing, Why? Well fame & fortune, but also …

.. that we sometimes forget to ask ourselves:

What are the potential negative effects be in regard to our security, privacy, democracy, freedom, liberty? What are the security holes in this architecture?

I’ve usually seen the topic of “ethical considerations” treated as kind of a nuisance when brought up for debate in these groups. Also I get the feeling from IoT papers on arxive et al that their authors somehow incorrectly assume that ethical questions will be answered by somebody better qualified for that job. Maybe somebody from philosophy, theology? And if not that then the industry, or at last resort for sure the courts will address it?

It is not surprising that most of technical research only highlights benefits, considering a lot of it was government funded (at least in the EU programs like H2020 or FP7 contribute to a large share of smart-cities research). It is quite shocking though how very few of these papers actually consider their proposals in a larger context of public safety and security.

This morning I just stumbled over a really fantastic piece of work[1]: How to mesh-up data in a smart-city taken from IoT sensor devices (environmental, cctv camera footage, face recognition, location) with data from social media posts (twitter & Co). The core focus of their research is a Sentiment Analysis platform to gauge citizen satisfaction in the name of improving local municipal services. Who wouldn’t want that?

As a software engineer I can picture myself architecting such a system. The possibilities are really endless especially when combined with technologies like Streembit or BigchainDB we could have auditing of public services giving us better transparency. Such decentralized systems would appeal a lot to the masses even allowing us to better track the performance over those that rule us. Unfortunately I have not come across any paper that are addressing such solutions.

All papers propose to empower the state but leave it up to the state to see where advantages can be passed to citizens (usually in exchange for recurrent billing of additional services). Data gathered from subscribers becomes available to expected 3rd parties such as law-enforcement, the IRS, the bank or their risk-management proxies. The data will sooner or later be in the hands of individual hackers or in the hands of terrorist organisations or a foreign nation state adversary. It shouldn’t be too hard for even a single attacker breaching a municipal IT facility.

It’s horrible to imagine a scenario where the attacker is a terrorist stealing the data prior a physical attack in that city. Either to amplify the effects of the attack (take over billboards, or SMS communication systems to create fear, etc) or even enable new forms of attacks due to the nature of the freshly gained previously unavailable info. Smart-cities can be a great vehicle in peace for sure. But from a security aspect I’m pessimistic about their related costs even to a stable society, in times of cyber warfare and in the age of Advanced Persistent Threats (APT)? Are smart city project in Poland, and the Baltic countries prepared to have these systems sometimes taken over for display?

The hard question isn’t how to build it. You need some storage, RDBMS, noSQL, tables, stored procedures, some web services, a big data processing backend, if you want to be really revolutionary use a pubic ledger type blockchain to enable simple smart contracts. Harvest your WSN’s data and manage the devices lifecycle over a decentralized tamper proof blockchain. Add some UI and a command and control centre. Interface with your utilities and offer revenue opportunities for vendors who use your platform to target local businesses and services. Done.

I think I just cybered.

I’m sorry. I’m not trying to belittle the technical effort it takes to create a smart-city. But we know the steps and how to make it. We know the individual technologies and protocols behind umbrella-terms (IoT or Smart-Foo). We even know how to pull the right political strings to convince everyone it will be great for everyone and we’ll learn as we go.

But I’m more concerned about what happens if a smartcity decides to flick the switch on democracy. Or are we naive enough to believe that a country which doesn’t shy away from switching off their internet in order to preserve their status-quo will not use the data of it’s local smart city to squash dissent? (… the coup d’état in Turkey, the “orange revolution” in Ukraine, aggression across the Arab world and dividing the enemy based on faith once again. Recent history increasingly becomes littered with horrible examples just as the last generation who witnessed WWII dies out.

A smart city knows almost everything about you, more than your intimate partner and accountant combined. In other words we as citizens and consumers trust that a smart city closely tied to local politics and business will keep those secrets reliably and securely from third parties? Surely, you must be having a laugh?

Critical topics to discuss for SmartCities architects:

SmartCities play a role in cyberwar by increasing the decision making ability based on data. There are many overlaps where defence interests and political interests are concerned. They are all about “preserving peace”. A smart city doesn’t create peace. More accurately it preserves the current state by empowering whoever controls the data. Many features can be implemented in the name of security. To understand how smart-cities empower the defence sector please read:

Cross-Domain Coercion: The Current Russian Art of Military Strategy [link]

Many of our future decisions will be made for us by machines to improve our efficiency. We rely on data to automate our life, it would be essential to critically assess the soundness of our underlying assumptions that the data we trust is safe:

I’ve been following the Santander Smart city project closely in the ETSI workgroups. There is a lot of awesome potential for better services and an improvement in the environment. Smart cities aren’t a technical challenge but a political one. They can be rolled out fast in smaller nations with less bureaucratic complexity. Especially centralised regimes with lean decision making can adopt these solutions very quickly.

Smart cities are not just a way to increase convenience for commuters and better parking systems. They are also a way to Engineer Consent. See Endward L. Bernays 1947 paper who coined this topic and the later BBC 3 part documentary showing our history in this subject since WWII.

But it’s not the IoT aspirations of Luxembourg, Monaco, San Francisco, Santander that worry me. Smart cities are most successful when already run by a smart efficient public sector. Mart cities implemented over complex self serving bureaucratic processes can become an electronic manifestation of stupidity written in code. And we all know how long code stays in the field once it’s shipped?

/*
* function disclaimer()
* When I wrote this, only God and I understood what I was doing.
* Now, God only knows
*/

In this context the idea of “code becoming law” becomes an imminent threat once the decision making process becomes dependent on the new ways of power the data brings. Smart cities become a vehicle of power through their data by allowing the state to better observe citizens behaviour and more importantly in their eyes protect itself against dissent. So especially those currently living under oppressive regimes have a lot to lose. Not to forget the risks if power tilts within a normally moderate country in favour of a right-wing party as seen in recent EU or US local elections. Do we want our rulers (the better and the worse ones) to wield this kind of power of individuals lives?

Many regimes across the globe currently race to showcase their continents 1st smarty-city, and in the process, “Become the regional flagship, then resell the model throughout the rest of the region”. Sounds like the business model fit for a prince? Well, it is.

In conclusion, one doesn’t have to wear a tinfoil hat to understand that these solutions will swing both ways. If you are serious about solutions that empower individuals and interested in how we plan to shape smart city architecture using a P2P driven decentralised design and blockchain transaction proof of consensus to deliver tamper-proof transparency to your citizens you should check out Streembit. We’d love to talk to you about your smart cities initiative and help you define a vendor neutral strategy as well as monetization strategies. All our proposals are built to empower individuals and based on well tested open source components which can be audited against backdoors. We believe that there are better (fairer) ways to monetize than centralized data harvesting, which regardless of all good intention in the end always leads to a security disaster. (find my contact details in the author card below).

Passionate about Open Source, GNU/Linux and Security since 1996. I write about future technology and how to make R&D faster. Expatriate, Entrepreneur, Adventurer and Foodie, currently living near Nice, France.

Valbonne Consulting provides Research & Consulting for emerging technologies in Internet/Web of Things (WoT/IoT/M2M) and Future-Networks. We specialise in decentralisation, security and privacy. We work across a variety of traditional industry verticals (Telecommunications, Automotive, Energy, …). We support Open Source and technologies built on open standards.